[PATCH] integrity: get comm using lock to avoid race in string printing
by Richard Guy Briggs
When task->comm is passed directly to audit_log_untrustedstring() without
getting a copy or using the task_lock, there is a race that could happen that
would output a NULL (\0) in the output string that would effectively truncate
the rest of the report text after the comm= field in the audit, losing fields.
Use get_task_comm() to get a copy while acquiring the task_lock to prevent
this and to prevent the result from being a mixture of old and new values of
comm.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
security/integrity/integrity_audit.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
index 85253b5..11706a2 100644
--- a/security/integrity/integrity_audit.c
+++ b/security/integrity/integrity_audit.c
@@ -33,6 +33,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
const char *cause, int result, int audit_info)
{
struct audit_buffer *ab;
+ char comm[sizeof(current->comm)];
if (!integrity_audit_info && audit_info == 1) /* Skip info messages */
return;
@@ -49,7 +50,7 @@ void integrity_audit_msg(int audit_msgno, struct inode *inode,
audit_log_format(ab, " cause=");
audit_log_string(ab, cause);
audit_log_format(ab, " comm=");
- audit_log_untrustedstring(ab, current->comm);
+ audit_log_untrustedstring(ab, get_task_comm(comm, current));
if (fname) {
audit_log_format(ab, " name=");
audit_log_untrustedstring(ab, fname);
--
1.7.1
10 years, 4 months
[PATCH 1/2] auditsc: audit_krule mask accesses need bounds checking
by Eric Paris
From: Andy Lutomirski <luto(a)amacapital.net>
Fixes an easy DoS and possible information disclosure.
This does nothing about the broken state of x32 auditing.
eparis: If the admin has enabled auditd and has specifically loaded audit
rules. This bug has been around since before git. Wow...
Cc: stable(a)vger.kernel.org
Signed-off-by: Andy Lutomirski <luto(a)amacapital.net>
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/auditsc.c | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 254ce20..842f58a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -728,6 +728,22 @@ static enum audit_state audit_filter_task(struct task_struct *tsk, char **key)
return AUDIT_BUILD_CONTEXT;
}
+static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
+{
+ int word, bit;
+
+ if (val > 0xffffffff)
+ return false;
+
+ word = AUDIT_WORD(val);
+ if (word >= AUDIT_BITMASK_SIZE)
+ return false;
+
+ bit = AUDIT_BIT(val);
+
+ return rule->mask[word] & bit;
+}
+
/* At syscall entry and exit time, this filter is called if the
* audit_state is not low enough that auditing cannot take place, but is
* also not high enough that we already know we have to write an audit
@@ -745,11 +761,8 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
rcu_read_lock();
if (!list_empty(list)) {
- int word = AUDIT_WORD(ctx->major);
- int bit = AUDIT_BIT(ctx->major);
-
list_for_each_entry_rcu(e, list, list) {
- if ((e->rule.mask[word] & bit) == bit &&
+ if (audit_in_mask(&e->rule, ctx->major) &&
audit_filter_rules(tsk, &e->rule, ctx, NULL,
&state, false)) {
rcu_read_unlock();
@@ -769,20 +782,16 @@ static enum audit_state audit_filter_syscall(struct task_struct *tsk,
static int audit_filter_inode_name(struct task_struct *tsk,
struct audit_names *n,
struct audit_context *ctx) {
- int word, bit;
int h = audit_hash_ino((u32)n->ino);
struct list_head *list = &audit_inode_hash[h];
struct audit_entry *e;
enum audit_state state;
- word = AUDIT_WORD(ctx->major);
- bit = AUDIT_BIT(ctx->major);
-
if (list_empty(list))
return 0;
list_for_each_entry_rcu(e, list, list) {
- if ((e->rule.mask[word] & bit) == bit &&
+ if (audit_in_mask(&e->rule, ctx->major) &&
audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
ctx->current_state = state;
return 1;
--
1.9.0
10 years, 4 months
[GIT PULL] CVE-2014-3917
by Andy Lutomirski
[This is my first pull request. I may be doing any number of things wrong.]
Hi Linus,
The following changes since commit f2159d1e99612ceb94bf9a2dc2fbca409d828b1b:
Merge tag 'sound-3.15-rc8' of
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound (2014-05-28
11:17:41 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux.git CVE-2014-3917
for you to fetch changes up to 9fbb05647f3aea17e4e01393bbc42f64ee307409:
auditsc: audit_krule mask accesses need bounds checking (2014-06-09
16:06:40 -0700)
----------------------------------------------------------------
Andy Lutomirski (1):
auditsc: audit_krule mask accesses need bounds checking
kernel/auditsc.c | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
NB: This is exactly the same patch that's been on the list, except
that I added the CVE number to the description.
10 years, 4 months
One challenge for audit - seeking ideas
by Burn Alting
All,
I am looking a ways to counter the situation where a user restarts a
service and hence all that service's auditing events are attributed to
the auid of the user who performed the restart.
That is
a. User logs into system (and pam sets auid)
b. User su's or sudo's up to a service account (auid still the same).
c. User restarts the service
d. All audit events resulting from the service have the user's auid.
At present I am looking at solution that front-end's the
RHEL5/RHEL6 /sbin/service command which sets the auid via a
audit_setloginuid() call and then execv's the service script and command
arguments.
I am interested in any other solutions that people may have implemented
successfully. Especially for the systemd replacement, if it's been done.
Regards
Burn
10 years, 4 months
audit 2.3.7 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Limit number of options in a rule in libaudit
- Auditctl cannot load rule with lots of syscalls (#1089713)
- In ausearch, fix checkpointing when inode is reused by new log (Burn Alting)
- Add PROCTITLE and FEATURE_CHANGE event types
Normally I'd wait a little longer to do a release but a couple things made me
want to keep this one short. The PROCTITLE event is showing up on people's
systems now and we need to support it. The other big change is that people
writing rules with lots of syscalls were getting an error such that the rule
would not load. It took two fixes to get it squared away.
Please let me know if you run across any problems with this release
Thanks,
-Steve
10 years, 4 months
Application audit through auditd
by Burn Alting
Hi Peoples,
Has anyone had experience with using the audit libraries for application
level audit - i.e. your application log events through
audit_log_user_message() library calls?
In particular I am interested in your experiences where you have
applications generating a lot of audit records through this interface,
but at the same time, implementing, say the STIG rules along with execve
auditing. That is adding
-a exit,always -F arch=b32 -S execve -k cmds
-a exit,always -F arch=b64 -S execve -k cmds
to the stig.rules file found in either /usr/share/doc/audit-2.2 or the
contrib directory in the audit source.
Although I haven't done any testing yet, my supposition is that, on
systems that are doing a lot of execve's, then the use of the
audit_log_user_message() interface slows down the applications as they
are waiting on the netlink kernel queues.
Any comments before I start my investigations?
Regards
Burn
10 years, 5 months
RE: EXT :Need help, we are receiving type=SYSCALL with auid=unset event entries
by Briane Lin
Thanks Kevin.
The systems are at RHEL server release 6.5 (Santiago)
audit.conf and audit.rules shown below from two systems.
Briane Lin
IBM Global Technology Services - Americas
Identity and Access Management, Automation Solutions
(Email): brlin(a)us.ibm.com
(Office): (720) 395-2049
"The only easy day was yesterday."
- US Navy Seals -
From: "Boyce, Kevin P (AS)" <Kevin.Boyce(a)ngc.com>
To: Briane Lin/Phoenix/IBM@IBMUS
Date: 06/04/2014 07:00 AM
Subject: RE: EXT :Need help, we are receiving type=SYSCALL with
auid=unset event entries
You might get some better help if you can be a bit more specific.
What version of auditd, kernel, etc. are you running?
What do the contents of your audit.rules and auditd.conf files look like?
From: linux-audit-bounces(a)redhat.com [
mailto:linux-audit-bounces@redhat.com] On Behalf Of Briane Lin
Sent: Tuesday, June 03, 2014 4:29 PM
To: linux-audit(a)redhat.com
Subject: EXT :Need help, we are receiving type=SYSCALL with auid=unset
event entries
We are receiving LINUX RHEL versions 5 and 6 in our environment with
type=SYSCALL and auid=unset event types.
We are unable to properly monitor an event with AUID=unset, does anyone
know why we are currently seeing these and what is the resolution?
Thanks!
Briane Lin
IBM Global Technology Services - Americas
Identity and Access Management, Automation Solutions
(Email): brlin(a)us.ibm.com
(Office): (720) 395-2049
"The only easy day was yesterday."
- US Navy Seals -
10 years, 5 months
Need help, we are receiving type=SYSCALL with auid=unset event entries
by Briane Lin
We are receiving LINUX RHEL versions 5 and 6 in our environment with
type=SYSCALL and auid=unset event types.
We are unable to properly monitor an event with AUID=unset, does anyone
know why we are currently seeing these and what is the resolution?
Thanks!
Briane Lin
IBM Global Technology Services - Americas
Identity and Access Management, Automation Solutions
(Email): brlin(a)us.ibm.com
(Office): (720) 395-2049
"The only easy day was yesterday."
- US Navy Seals -
10 years, 5 months
[PATCH 0/2] Syscall auditing lite
by Andy Lutomirski
I've made no secret of the fact that I dislike syscall auditing. As far
as I can tell, the main technical (i.e. not compliance-related) use of
syscall auditing is to supply some useful context information to go
along with events like AVC denials.
CONFIG_AUDITSYSCALL is serious overkill to do this. kernel/auditsc.c is
~2500 lines of terror.
This patchset accomplishes the same goal, more usefully, with no
overhead at all, in under 70 lines of code. It tries to coexist cleanly
with CONFIG_AUDITSYSCALL.
This is only implemented for x86. Other architectures can add support
fairly easily, I think.
Andy Lutomirski (2):
x86,syscall: Add syscall_in_syscall to test whether we're in a syscall
audit: Syscall auditing lite
arch/x86/Kconfig | 1 +
arch/x86/include/asm/syscall.h | 21 ++++++++++++++++++++
init/Kconfig | 3 +++
kernel/audit.c | 44 +++++++++++++++++++++++++++++++++++++++++-
4 files changed, 68 insertions(+), 1 deletion(-)
--
1.9.3
10 years, 5 months